Look Both Ways: SAN Safety Precautions

Just when you'd think it would be okay for IT administrators to kick back and relax, they've been presented with a new set of worries: the security of their storage-area networks (SANs).

"SAN security now is where Internet security was five or 10 years ago," says Clement Kent, the vice president of product management for Kasten Chase Applied Research, a security firm based in Mississauga, Ontario.

The need for SANs and other storage techniques to perform at a high level is growing exponentially. Customer relationship management, business intelligence, and other procedures produce ever-higher mountains of data. These and other sales and marketing tools demand that data be available instantaneously. Compounding the issue are new regulations, such as the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which make exacting demands on how information is processed and stored.

The storage infrastructure is struggling to keep pace. "SANs originally were a few computers talking to a few servers," says Kevin Brown, the vice president of marketing for Decru, a storage security appliance vendor based in Redwood City, Calif. "It was a relatively isolated and controllable environment. It has turned into giant networks with hundreds of devices, many interconnection points, and dozens of people touching [the data]."

There are several ways to think about SANs and storage. At each level — be it physical or electronic — the usual recommendation is a "defense in depth" strategy. As the name suggests, this approach relies on no single procedure or technology to safeguard the SAN. Instead, various security approaches permeate the storage network. IT managers must also recognize the need to prioritize as a way of maximizing budgets. "One of the things we suggest people do is look at which data is most valuable," Kent says. "You spend different amounts of money based on what you are defending."

The next important element is the physical security of the servers and tape backups. There are documented cases of employees simply sailing off with tapes and servers. "It could be as simple as what happens to data stored on tape," says Scott Gordon, the vice president of marketing for NeoScale, a data storage security firm based in Milpitas, Calif. "Tapes can have as much as half a terabyte [of data]. You can put up firewalls, but then someone walks out of the back end with tape media."